Cyber-Liability and Data Loss Claims: A Case Study From Notice of Occurrence Through Conclusion


1. Cyber Liability and Data Loss Claims: A Case Study From Notice of Occurrence Through Conclusion
   Part I – The “Reasonable” Perils of Data Security
   Yanai Z. Siegel, Esq., Counsel, Shafer Glazer, LLP, New York, NY
2. Data Breaches
   “When we think about data breaches, we often worry about malicious minded computer hackers exploiting software flaws, or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is that errors and negligence within the workplace are a significant cause of data breaches that compromise sensitive personal information.”
   Privacy Rights Clearinghouse, March 6, 2012
3. Privacy Studies
   • In-depth survey of recent data breach incidents (respondents could attribute an event to two causes, so the figures sum to more than 100%):
     - 8% due to external cyber attack
     - 22% due to malicious employees or other insiders
     - 37% due to malicious or criminal attacks
     - 39% due to negligence
   • Loss of laptops or other mobile devices topped the survey
   • Mishandling of data “at rest” or “in motion” was a major contributor
   The Human Factor in Data Protection, Ponemon Institute, 2012
4. Negligent Document Disposal
   • Rock Bottom Auto Sales, December 7, 2012
     - 8 bags of credit applications
     - Contained names, driver’s license info, SSNs
     - Found unattended on a dirt road in Hudson, Florida
   • West Pittsburgh Partnership, December 10, 2012
     - Job placement documents found in a dumpster
     - All contained names and SSNs
   • Internal Revenue Service, 2008
     - Disposed of taxpayer documents as regular waste
     - Failed to consistently verify that contractors with access to those documents had passed background checks
5. Data In Motion
   • Unencrypted laptop lost
     - Univ. of Mississippi Medical Center, March 22, 2013
     - Contained patient names, SSNs, addresses, diagnoses, PII
     - Only protected by a password (a login password does not protect data on a disk that can be removed or booted from other media; only full-disk encryption does)
   • Unencrypted USB flash drive stolen
     - From a Georgia middle school teacher’s car on January 8, 2013
     - Contained student SSNs
   • Unencrypted backup tapes missing in transit
     - TD Bank, March 2012; reported by the California AG in March 2013
     - Contained customers’ and dependents’ SSNs, account info, credit and debit card numbers, and addresses
6. Data At Rest
   • South Carolina Department of Revenue, October 2012
     - Employee clicked on a link in a “salacious” email
     - Compromised computer sat inside the security perimeter
     - 3.8 million tax records accessed by “international hackers”
   • Town of Brookhaven, New York, June 6, 2013
     - Law enforcement employee failed to click “No Public Access” on a post to the town website
     - SSNs of 78 ambulance workers and beneficiaries published, attached to a town resolution
7. State Statutory Law – U.S.
   • 46 states have data breach statutes or regulations
     - May include provisions mandating notice to state agencies, to law enforcement, and to affected individuals
   • Many have additional state-level data privacy laws, e.g. New York General Business Law §399-h, Disposal of Records Containing Personal Information:
     - “Record”: any information kept, held or filed
     - “Personal Information”: containing SSN, driver’s license number, and more, when the data is either unencrypted or encrypted with the key included in the same record as the personal information (encryption with a co-located key affords no protection)
     - “Personal Identification Number”: any number or code which may be used… to assume the identity of another person or access the financial resources or credit of another person
8. New York State Record Disposal Requirement
   • “Business Person”: any natural person, or agent or employee of such person, that is conducting business for profit
   • Disposal of records containing PII: business persons may not dispose of a record containing PII unless:
     - The record is shredded prior to disposal, or
     - The PII contained within the record is destroyed, or
     - The record is modified to make the PII unreadable, or
     - Disposal follows commonly accepted industry practice to prevent unauthorized persons from gaining access to the PII in the record
   • Penalty: $5,000 fine per occurrence
9. Personal Identifying Information
   • As defined by NY Gen. Bus. Law §399-h:
     - SSN, driver’s license number or non-driver ID card number
     - Mother’s maiden name
     - Financial services account number or code
     - Savings account number or code
     - ATM or debit card number or code
     - Electronic serial number or personal identification number
   • As defined by Administrative Code of the City of New York § 20-117:
     - Date of birth, SSN, driver’s license number, non-driver photo ID number
     - Mother’s maiden name, personal ID number
     - Financial services or brokerage account number or code
     - Checking or savings account numbers or codes
     - ATM, credit or debit card number or code
     - Computer system password, electronic signature
     - Unique biometric data: fingerprint, voice print, retinal image or iris image of another person
10. Case Study I – McLoughlin v. People’s United Bank (August 31, 2009)
   • People’s United Bank (“PUB”), based in Connecticut
     - Contracted with Bank of New York Mellon (“BNY Mellon”) for data services
   • BNY Mellon, based in New York
     - Maintained unencrypted backups for the data services provided
     - Contracted with a third party to transport PUB data backups
     - Feb. 27, 2008: transport truck with a broken lock left unattended
     - Box of six to ten unencrypted backup tapes went missing, in New Jersey
   • PUB and BNY Mellon sued in a class action by PUB depositors, alleging:
     - Negligence in backup practices
     - Deception in statements about the standard of care for data
     - Increased risk of identity theft
     - Failure to properly notify depositors of the data breach
   • Case dismissed for failure to prove damages. State AG settled.
11. Cyber Liability and Data Loss Claims: A Case Study From Notice of Occurrence Through Conclusion
   Part II – Cyber Liability Claims, Regulatory Structure and Enforcement of Data Privacy Laws
   Bruce H. Raymond, Esq., Partner, Raymond Law Group LLC, Glastonbury, Connecticut
12. Case Study II – Atteberry v. Schnuck Markets
   • Defendant Schnuck Markets, Inc., a Missouri corporation
     - Supermarket chain operating in Missouri, Wisconsin, Iowa and Illinois
     - Computer system compromised; breach discovered on March 15, 2013
     - Credit/debit card info and other PII accessed by an unauthorized user
     - Notice to customers provided via press release on March 30
   • Class action complaint filed against Schnuck on May 22, 2013, alleging:
     - Violation of the Illinois Consumer Fraud & Deceptive Business Practices Act
     - Breach of implied contracts
     - Invasion of privacy
     - Negligence
     - Third-party beneficiary claims
13. Questions of Law & Fact
   • Common questions of law and fact for all claimed class members:
     - Whether Schnuck failed to adequately secure and protect PII
     - Whether Schnuck violated state data breach notification statutes (Schnuck waited two weeks before issuing a press release)
     - Whether Schnuck breached an implied contract with its customers
     - Whether Schnuck breached customers’ privacy by disclosing private facts
     - Whether Schnuck was negligent
14. Private Cause of Action
   • Damage claims alleged:
     - Failure to notify appropriately is a private cause of action in Illinois
     - Breach of implied contract by Schnuck: the customer is obligated to provide card and PIN; Schnuck is obligated to protect and reasonably safeguard customer information
     - Customers needed to devote time to cancel prior cards and set up new ones “to mitigate now heightened risk of further and future identity theft”, thereby causing tangible damages
     - Disclosure of customers’ PII constitutes invasion of privacy
     - Customers are third-party beneficiaries of Schnuck’s Payment Card Industry agreements, and Schnuck failed to comply with PCI DSS
     - Negligence, if not intentional conduct, by Schnuck
15. U.S. Federal Regulatory Infrastructure
   • Sector-based federal statutes, enforced by:
   • Federal Trade Commission:
     - Deceptive trade practices: commercial conduct that includes false or misleading claims, or claims that omit material facts. Consumer injury is not required for the conduct to be actionable.
     - Unfair trade practices: commercial conduct that causes (or is likely to cause) substantial injury to consumers, that consumers cannot reasonably avoid themselves, and that is not outweighed by countervailing benefits to consumers or competition.
   • U.S. Department of Health and Human Services:
     - HIPAA, HITECH and Protected Health Information (“PHI”)
     - Office for Civil Rights: HIPAA Privacy Rule
     - Centers for Medicare & Medicaid Services: HIPAA Security Rule (enforcement of the Security Rule was transferred to the Office for Civil Rights in 2009)
16. Other Regulatory Infrastructure
   • State statutes on data breach notification and other areas of data privacy are enforceable by:
     - The state Attorney General
     - If so provided, a private cause of action brought directly by the affected consumer
   • International law:
     - Comprehensive model: European Union
     - Sectoral model: Japan (and the United States)
     - Co-regulatory and self-regulatory models: industry sets the standards
     - Co-regulatory: with governmental support (Australia and New Zealand)
     - Self-regulatory: without governmental support (e.g. PCI DSS)
17. Reducing Exposure
   • Preparing for a data security incident
     - Data security risk assessment PRIOR to events
     - Address potential security issues
     - Set up a response team and plan, just in case
   • Managing a data security incident
     - Technical support for data forensics and remediation
     - Legal support for compliance and defense preparation
     - Management support and communications
   • Defending against cyber liability claims
18. Cyber Liability and Data Loss Claims: A Case Study From Notice of Occurrence Through Conclusion
   Part III – Privacy and Network Security Insurance
   Josh Ladeau, Assistant Vice President, Technology, Privacy and Network Security, Allied World Assurance Company
19. Financial Impact of a Breach
   • Industry class/type of information stored or processed
   • Determining the extent of the breach
   • Volume/sensitivity of information (Mass General, BCBS TN)
   • Notification to clients and credit monitoring
   • Regulatory reaction
   • Public relations
   • Potential for liability suits
   • Lost income and costs to restore information
   • Reputation/long-term impact
20. How Can Insurance Help?
   • Policy structure
   • Reimbursement/pay-on-behalf for first-party costs
   • Vendor relationships
   • Regulatory coverage
   • Defense and settlement
   • Business interruption
21. Proactive Underwriting
   • Application process as a risk management tool
   • Policies and procedures
   • Technical controls
   • Most needed and most effective for small and mid-market risks
   • Awareness is key
   • Impact on premium/coverage